Posted
by
Zonk
on Friday March 03, 2006 @08:37AM
from the i-want-them-alive-no-disintegrations dept.

Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."

Sometimes when i open my older mailboxes (which sadly have no spamcheckers) and need a calculator to count the spam messages, i really feel like i'd rather disable the hacker himself, literally.
I really don't need V!@gr@ nor do i want to buy any other drugs really cheap. And i really don't need the emails that advertise them. Reading e-mail is as private for me as sex is for some other people, if i don't advertise my software products next to your bed while you're having sex, i'd also expect you no

As soon as they start tracking down the web controlled and irc controlled nets, they'll move to gnutella style distributed control systems and i2p style networks of bots. Good luck tracking one of those to it's source. Onion routing anyone?

For many reasonFirst, the attention it already has. Providers are aware of P2P traffic and how it clogs its cables.

Second, lack of control. You cannot control what gets where when with P2P. You cannot say NOW we start to distribute this version, NOW we stop distributing this version. This is essential. Without, you need more sophisticated ways and less reliable ways to tell your trojan if the item it just found is "better" than what it has now.

I'm not sure you're understanding the previous poster. He/she is talking about control networks for botnets, not about distribution mechanisms. Bots and worms can be coded to look for particular filenames on P2P and get their commands from that source. Then they look for the next filename in their list. This is used to direct the bots, not to compromise them.

Well first off, don't assume that what the article says is taking place is actually what is taking place. If I knew a good way to catch bot herders I would not start by telling the bot herders how I am going about it.

The real botnet controllers are people. The DOJ has been arresting a few botherders recently, I blogged about this a week ago [blogspot.com]. I do not know how this is being done but I think its much more likely that they are following the money, not following the bits.

Are all botnet operators dumb? There's a whole heap of things botnet operators could do to insulate themselves and their networks from attack. Examples:

Make the zombies accept commands from messages using asymmetric encryption. Sign your commands and use stenography to hide them in spam/Usenet/websites/images.

Make a P2P network divided into "cells". Have zombies only communicate with five other zombies, relaying commands amongst themselves. If one zombie goes quiet, the zombies talking to it transmit a "compromised" message to their other contacts and disable themselves, finally nuking the hard-drive.

Listen to existing network chatter. Bots are harder to detect if they are hidden inside existing communication. Wait until the user sends an email before sending spam for the first time, so if they have a personal firewall installed, chances are, they'll approve your bot, at which point you can send with impunity. Furthermore, you'll have their smarthost address.

Those are just off the top of my head, I'm sure if it was my actual job to operate a botnet I could come up with something far more sophisticated. So why don't botnet operaters do this? Are they all dumb?

Many of them lack the skills required to do this. Most botnet operators don't make their own bots. The ones that do are the ones you'll never hear about.

So far the perps have been very willing to share attacks. Now that there is money to be made and they are in competition there is a good reason not to share new goodies. It is in the interests of the professional botherders to have lots of script kiddies doing idiotic attacks, being caught and prosecuted. I bet they would even write bots that report the o

Zombies you say? Well, I suppose it depends on the type of zombie. If they are Night of the Living Dead style zombies, then removing the head will indeed kill them. However, if they are Return of the Living Dead type, clearly you need to burn the entire botnet. Of course, the ashy packets would then spread to neighboring datacenters and there'd be hell to pay.

They don't do it because they don't have to. The goal is to maintain control over a large number of machines. Currently, the barrier to entry in this market is pretty low. If many of the control nodes are taken out, the botnet operators will change their methods to be more resilient.

Botnets are about numbers of machines. Destroying a node (ie, formatting the hard drive) lowers the number of machines. As long as the rate of compromise is greater than the rate of attrition, the botnet will continue to grow and that is good. In this case, doing harm to users is bad business for the botnet operators. Anyway, setting up the botnet as a series of cells means that any cell being compromised has a limited impact.

I don't assume that computer criminals are dumb. A single felony conviction for youthful stupidity can prevent an otherwise talented technical person from getting any job in many large companies. Organized crime doesn't discriminate against these people and can pay pretty well. There are a lot of security experts who are in their roles today because they never got caught and prosecuted for some of the things they did in the past.

I first heard of the idea of using spam as a communication medium 3-4 years ago. I wouldn't be surprised if this is already being done. There's so much spam that finding a signal in all that noise would be difficult. Unless you knew exactly what you were looking for, you wouldn't be likely to find it.

This is why when I hear about our various governments wanting to sniff everyone's email as a pointless waste of time. A spam run is even better than a numbers station (http://en.wikipedia.org/wiki/Numbers_station [wikipedia.org]) because it's a lot more subtle (unlike a numbers station which you can tell where it is and when a new one pops up, it's obvious, and just like a numbers station there's no way to tell from a message hidden in spam who the intended recipient is).

As someone who has intimate knowledge about hijacking computers (i have plenty of friends from my..er.. darker days), a lot of these botnet creators employ "features" such as port knocking and stealth commands (may appear as a simple https response) which are usually encrypted. You may be able to stop the sloppy botnets, but I can tell you now that this is not an easy problem to stop nor a friendly society to penetrate. And as a previous poster foreshadowed, a lot of them are already distributed due to the ease of shutting down a headnode. Botnet creators constantly evolve, how do you think they became so elaborate today?

People write bots and operate bot nets because there is money to be made from this kind of operation. Numerous stories have been posted here and elsewhere about botnets bringing down big companies' servers or being used to extort money. This means there is a lot of money to be earned (especially in countries with no decent judical system and/or high levels of corruption), so obviously it attracts talented folks.What this whole story brings to us is not, that AV and security experts deal with botnets (they'v

Typical security theatre from people who just don't know much about security. None of those things will accomplish anything, because it's the same old DRM problem - if it has to run on the target host, then the person controlling that host can analyse it, reverse engineer it, and discover how it works. Having done that they can defeat it. It doesn't matter how much you encrypt or hide the communication between the loser running the botnet and the infected host - that host can be 'compromised' by a person with physical access.

Of course, if something like Palladium ever became a reality, this would no longer be the case, which would be the security disaster everybody has been warning about.

Also, anonymising systems like freenet are designed specifically to protect the identity of the person inserting information, so it's not necessarily possible to track down the one controlling the botnet.

But it is very easy to defeat security theatre like port knocking and 'stealth' commands. We are always going to know precisely what the infected host is doing in one of these things.

None of that matters though. While it could be effective in the short term to track these people back from the infected hosts, it's far more realistic to track them forwards from their clients. Money is much easier to follow.

Granted, you're always going to be able to reverse engineer a comprimised host. The issue is that it doesn't matter - the aim is to make it take long enough that the return on investment is made, then the bad guys win.

whereas I respect your oppinion, I doubt that they are as sophisticated as you say. I mean, what if the authorities analyze the network traffic in and out of all ISPs? Controlling a massive DDoS attack has quite a different pattern than browsing for sports or news or downloading a movie.

user logs into computer and connects to banking site to check balances. trojan sends a similiar https packet to decentralized bot network. bot network responds with host to attack and time to do it. trojan later begins attacking host, which could be at a time months in the future. sure if you're logging all traffic from that machine you can tell when it first occurred, but how do you know a few days/weeks/months in the past who they are going to hit and when?

That's an attack that could easily be countered. DDoSs are so 90s.:)Seriously now. A DDoS can be stopped. Not at the source, but at the ISP connecting you. You can't of course stop the attack from happening, but you can use powerful and sophisticated filtering and load sharing systems to stay online. A number of attacks, together with an accompanying blackmail ("pay or else we flood you"), has happened to a few services that rely heavily on internet access, namely online betting shops.

This will have to go beyond simple traffic scanning. If not how would they determine whether a group of machines are bots or are simply responding to SETI@home or whatever other distributed systems are running over the 'net?

Seems like at some level there will have to be a human protocol that decides which traffic is naughty and which is nice. Humans can be manipulated and protocols spoofed. If this weren't the case we wouldn't be having this discussion in the first place.

No messages have been posted to the botlist yet. I subscribed and thought I'd check out the archive... it's empty. Seems like they'd advertise lists that were up and running with content, not lists w/o any. Perhaps it was setup by bot masters so they'd know who to pick-off?

So far, any reaction from the "good" guys of the net caused a reaction from the "bad" guys. You turn something off? Ok. Next!

Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice.

When you turn that off, they'll find another way. There are so many communication tools out there, so many protocols, from MSN to Skype, and they all can and will be abused to keep the botbrain in tough with his zombies.

Futile. The only chance is to cut the machines from the 'net that contain those trojans.

Turn IRC off and they'll do it via usenet and have the bot read a certain (not too spammy) group religiously for his master's voice

Or from right here on slashdot.... Ive seen the pages come across, usually has something like HELLO WOLRD on the first couple of lines, then a series of numbers/characters obviously formatted in a pattern, then ends with another obvious terminator. It looks so blatently like a crypted message I reported it to Taco/other maintainers, but they just closed the ticket with "securit

Obviously grabbing random traffic and scanning it isn't going to work. They need to "capture" one of the bots, and study it. Watch all the traffic coming and going, disassemble the software that receives and executes the commands. Then they'd have a solid base for knowing how to track and/or block traffic like that, at least for that one bot variant. So, they'd have to do that for every bot network out there. And who knows how many there really are, or how different they are.

When they came into fashion, botnets were mostly comprised of infected machines that got little to no updates. They existed, some bots were discovered and eventually it phased out, only to be replaced by others. The connection was made to a static IRC Server and/or channel, the commands were static, eventually they were discovered and cut off.

Then anti-virus and security companies got aware of the problem and started to counter it. The result were updating bots that reloaded part of their code, some configuration script or a completely new code from a static server. When we started to hunt down the update servers, update servers became dynamic as well.

Today, botnets have a faster and more reliable update mechanism than some commercial products. More fallback servers than most companies. And a faster response time to "blackouts" than anyone in the (legal) commercial 'net.

Another development such nets go through, right as we're talking, is that more and more of the bots get more and more features. Earlier, you had a bot that connects a spam net, another one with keylogging, another one that offers DDoS Sheep properties and so on. More and more, those features become incorporated in one bot. Instead of specialists, you get generalists.

Today you have trojans that create proxies, at the same time they harvest your passwords, especially interested in your server passwords (to turn your personal homepage server in an update box for them), log your input (especially when you're dealing with online services that require money transfer, like paypal or ebay) and use you to send sex-spam out to others.

Those sex-spam sites contain adware popups, those in turn are infected with 0day exploits like the WMF-exploit was. Those in turn contain more trojans.

This all is not necessarily done by one and the same attacker. You can buy and sell those "services". One person or group creating the adware dropper, selling its finding to another group who uses it to get a sheep onto the computer, those in turn sell them to someone who wants to conduct a DDoS attack. Or they sell it to a keylogger, who then uses this to harvest your login data to some pay services to transfer your money or buy stuff for your money.

The biggest problem with spam and viruses and worms is that the federal authorities, specifically those in the United States, don't seem to give a damn about going after these criminals. They don't need to pass any new laws. Computer tampering is computer tampering and the feds are either ignorant or scared, or being told to prioritize the prosecution of these cases as low priority. If you start nailing these people, things will dramatically slow down, but the real reason spam and other attacks are increasing is because enforcement hasn't gotten off its lazy ass and started to prosecute more of these criminals. The way I figure, when Wal-Mart is interrupted by some massive bot-net, then and only then will the government suddenly recognize this is a really bad thing that needs to be dealt with.

Solution is simple. Tell the Feds botnets are being used by terrorists.
Once they get the idea that these bot nets are being used to distribute terrorist information, crack military encryption for the terrorists and target American soldiers, and fund terrorists, Homeland security will be busting down doors.
Or they will create the "Patriotic Computer Act" which forces all computers to run Federally approved anti-terrorist software, you know, the stuff to keep these evil botnets from occuring on your com

I think these [honeyclient.org] folks are headedd in the right direction when it comes to destroying botnets.

From their page:
Kathy Wang ToorCon 2005
So, what's a honeyclient?
Honeyclients provide the capability to
proactively detect client-side exploits
Drives client application to connect to servers
Any changes made to honeyclient system are
unauthorized - no false positives!
We can detect exploits without prior signatures

What can honeyclients do for you?
Allows proactive monitoring of malicious
servers
Allows d

Netstat. Ooh I'm connected to some weird server. Ethereal, ooh I see a password being sent to join this IRC server/channel. Choose a suitable name with X-Chat or BitchX and join the channel, see the commands fly by. But don't say anything.

I've done it many times whenever I've managed to isolate one of these trojans in Virtual PC. I've also watched the commanders having a great big "LOL" in channel, and felt awful that if I said anything it'd blow my cover. Try it today.

> In the U.S., Microsoft is developing Vista; in the U.K; they are. Does that> affect words like 'group?' Anyone from the UK to comment?I've seen/heard both.

A quick Google reviews this:http://news.bbc.co.uk/1/hi/programmes/radio_newsro om/1099593.stm [bbc.co.uk] -----Collective nounscan be singular or plural. The only rule is: you must be consistent. "Marks and Spencer is selling a new biscuit. They say it's the best ever made" is the type of rubbish we broadcast far too often. In a sporting context, teams are alw